Addressing Information Security at Its Root: Insecure Software

Insecure software continues to be the dominant root cause for the hacking incidents cataloged in the Verizon Data Breach Investigations Report. Unfortunately, most organizations tend to emphasize detective and corrective controls with respect to application security rather than preventive controls. A 2012 report from Quocirca found that nearly all organizations use static/dynamic vulnerability scanning or web application firewalls as their primary approach to application security.

Until recently, organizations had to rely on some combination of education and manual, expensive techniques such as threat modeling to holistically integrate security into software requirements and design. The emergence of commercial off-the-shelf (COTS) and in-house developed secure application life cycle management (SALM) tools is helping close this gap.

SALM tools are decision-tree systems that select a tailored set of security requirements from a large knowledge base based on user-supplied criteria. Think of them as tax planning for application security: Users provide details about the technology stack, compliance requirements and features of their software, and get back a tailored set of requirements and verification tasks that, when followed, make their software more secure. SALM tools provide the scalability organizations need to integrate preventive application security controls effectively.

The second factor is still largely missing. Although secure software development practices are specified in audit frameworks such as the Payment Card Industry Data Security Standard Section 6.5, auditors rarely request evidence of them, apart from superficial knowledge of the OWASP Top 10. Information security budgets and goals tend to be heavily focused on compliance and audit findings rather than on security best practices. As a result, development teams focus on audit findings—namely detective and corrective controls—while still producing insecure software. This approach is cost-inefficient; according to IDC, fixing a security defect found by static analysis is 6.5 times more expensive than fixing it in design. Moreover, studies show that static analysis can detect at most 40% of preventable defects, which leaves the remaining defects in production and increases risk.

Organizations have the potential to substantially improve software security. Now they need the support of the controls audit community to make it happen.
